cryptbot | 3c3ec4c1e29ddd7df20882f14db717567717772eba3c25063564c7b8a665ac06

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2024 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c9bc69219f434c0d872aa764bd8e624_JaffaCakes118.exe
Size

603KB
MD5

5c9bc69219f434c0d872aa764bd8e624
SHA1

968e1fcede080b4bf082448b39064a4a25d3d15d
SHA256

3c3ec4c1e29ddd7df20882f14db717567717772eba3c25063564c7b8a665ac06
SHA512

0fef741a425696c58831ef07b471e581b3fc7434d0d28069d5901505fa16cd09b2ba7e1893786538a8dd9219504c7bac0a52db8607032b3166e17ac776741fe5
SSDEEP

12288:/nZ8kWc1HDIX6EjUPS8vG2p6oTxu7hYAuczF39Pl9C52y:B8kWc5iixlJOYgR9N9

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

haibam72.top

morelm07.top

Attributes

payload_url
http://zelyoc10.top/download.php?file=lv.exe

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 5 IoCs

resource	yara_rule
behavioral2/memory/4328-2-0x0000000004940000-0x00000000049E0000-memory.dmp	family_cryptbot
behavioral2/memory/4328-3-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot
behavioral2/memory/4328-224-0x0000000004940000-0x00000000049E0000-memory.dmp	family_cryptbot
behavioral2/memory/4328-226-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot
behavioral2/memory/4328-225-0x0000000000400000-0x0000000002CCC000-memory.dmp	family_cryptbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5c9bc69219f434c0d872aa764bd8e624_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5c9bc69219f434c0d872aa764bd8e624_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5c9bc69219f434c0d872aa764bd8e624_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4328	5c9bc69219f434c0d872aa764bd8e624_JaffaCakes118.exe
4328	5c9bc69219f434c0d872aa764bd8e624_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\5c9bc69219f434c0d872aa764bd8e624_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5c9bc69219f434c0d872aa764bd8e624_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LrnVeCmP1Go\UCDVM5cd.zip

Filesize
996KB

MD5
ac02881a06f3ea0c6c764b2c0e9b7fbf

SHA1
9681d88e6d5603f44fb2cb1977ec7a341d955082

SHA256
6fa9e18b8ad418fe53698858942cd11a1c2c3a1b1cc83c37775b898a10b6c074

SHA512
02fe97b18946ce35d937e03a07668894298109545784df0741ab5bd29e9bc146a06c85244d9a8a9445446436dfcf48269e5e3a1462be9c34bc71fe01796da582

Download Submit
C:\Users\Admin\AppData\Local\Temp\LrnVeCmP1Go\_Files\_Files\SelectPush.txt

Filesize
952KB

MD5
aaf33e0617d5d192027795055a4255ae

SHA1
0a4f7fa249a70a0e46761f77805e718a134a5090

SHA256
fc006b943d4e1b654c84ed6a76ab96638fc3843094c6180bcae060649717f325

SHA512
99eafecb4b767a5bfe1e9422be28b5b7c6d9013736c9ac1cffb3dfd9040c9c71d2734ab27a45fc726be7680eaa843980c2c440d443ce07f53262113d53c4174c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LrnVeCmP1Go\_Files\_Information.txt

Filesize
1KB

MD5
428f119f7da355df072bde2e93817021

SHA1
7f95758e1b37a7a99047daf3e3255e159cad3fe2

SHA256
41eecfcf9c17e60bf5124c3d4e9a5f642d3fef99c229e9faf1b7069d4989d80e

SHA512
7da1a46de46c75f47309e13976c9efdacd3152327d4882e0dac99c652ad44c4d907eedb718d58deb2688a3ccd264a2231dd4634385c6407043eded2c18651d7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LrnVeCmP1Go\_Files\_Information.txt

Filesize
3KB

MD5
92fe77cda0f60d02bf64131c7a9638d6

SHA1
3a1eaa173f8f5031e60cbb0498f4593f404618d8

SHA256
1f99f2987dfe7f78d8b8731a6475e4dd794f1d9a85278b832dbd6528c02a13c6

SHA512
1ce9a0695bc8933c03d6fbc62a781da185aa4a45672e4a01cb668c75011949d8311ca39154c522b40c2c10c8b5dea456398c7b0cc54aacf6972c4f23defe02f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\LrnVeCmP1Go\_Files\_Information.txt

Filesize
7KB

MD5
b313edfa400a1db146ec07bfd33f1e51

SHA1
e01e1b2f1f426d7a9c192ee31b2b9ad2eae846ef

SHA256
0138653fc3122e92501453d7b7c78fd060eb8f0637a1a8837376b54d0d7f2327

SHA512
3cf097642902781fe55d7c5ac8639fa756eb21d541be2af42ae725e5ddbb68fb7459e27d14374420cf8e9751f5833596cb5d41076bc4cb288f9dd6b9597848c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\LrnVeCmP1Go\_Files\_Screen_Desktop.jpeg

Filesize
48KB

MD5
c1e0eae2dc2e9d89890ba414d905a57e

SHA1
edd8b71badaf044611a16f37a0c245bfd796723c

SHA256
f728ff8a3c6b585c284cd7f0fa47e9f6d993deba38109b51b9883fd8101df525

SHA512
8b058d95cb506898873af00a90b4c1b8abcf6eb5b8c414b7d7c8c08ca49248c2c1487ab777f3b655b1a1c4212e7c2af36b8a431c79ace9e9c5b5d7fc3819686d

Download Submit
C:\Users\Admin\AppData\Local\Temp\LrnVeCmP1Go\files_\system_info.txt

Filesize
1KB

MD5
379967ab2a78acd5e493ce27169e4d07

SHA1
f5a9c8b586314a4ff6353717e6d539ee81ded68a

SHA256
1c57677dfa01f5a4df40cc1af5e45ca98f4e2ba3541ec101a004916b7375ef80

SHA512
65dee685f14c106a5a92c9431e38ea13265a9873607aa8a3a6ad7327df9cf0beebdb61aea22a08ef12248e382c1a12f04f0be386249dc2c5631ccda25ca40f1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LrnVeCmP1Go\files_\system_info.txt

Filesize
1KB

MD5
4740d6b7f5b633ce78692a37d0c8da5b

SHA1
edc6f02f1080e4d32eea05120b66c4b572e2b36f

SHA256
6e11cc3a70afff1f3c091673b279c04199d4a8f4a4a32bc901769f00548c8835

SHA512
57bf70b7e8dd8ffd29b96d2204ef24b78cb80d203d6bcded9c3bda4ef2c3f2598d358d4f02460983ea5016558ec51eba8663c1edbfb54508f6b9e12bcdffe0ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\LrnVeCmP1Go\files_\system_info.txt

Filesize
1KB

MD5
f3173e1a557a93485546fe11d1cb679e

SHA1
5febbe2b8724791daa2b0048028410cda90c75ed

SHA256
e5d15c6302b8d64a55f95b59e175dc5b7724be93bf6c1a00bff79fef87e454ec

SHA512
b8ff2db01ded49e4f037e2a89203c6b1eb621feef6b24e985f6310f8668f36ae77d8676ca8d2260c4a7b1f30d62956a451269612d24f4cfa984a9e188413f808

Download Submit
C:\Users\Admin\AppData\Local\Temp\LrnVeCmP1Go\files_\system_info.txt

Filesize
7KB

MD5
0905cef61cf83312402ab6f01bdc536c

SHA1
92ab679e84850a53bcc842c90ff91b0650b4a791

SHA256
37a5cb580ca54ee4d6bf08edf605681f575fad1f3701a9595c52c5cfa0c2e285

SHA512
7fb5f132a04370407a02b96ff079ff0830d58f2350df6af5d020097d8e06fad687bd020d3d6ab582252d3a44a270a3f6688bda6267533022461d316dca4f9714

Download Submit
C:\Users\Admin\AppData\Local\Temp\LrnVeCmP1Go\zooePyTeboZJhg.zip

Filesize
996KB

MD5
04f79813302fb7a68f89da243f737b39

SHA1
97182344347e38019947b3df42aef4c05fc0c10a

SHA256
9d2480667babeb164c75990355a18cc12fc04377ea9b6dffd322e8eb61185015

SHA512
c2cb08ef209671c67266e34f4a6d392691a53a3ea73f8f55822ff3650e8da641dcfe962bedf1689d15a0f25ee62bbaa996fe601e3d0b4d34b5c254a41492aa25

Download Submit
memory/4328-1-0x0000000002DD0000-0x0000000002ED0000-memory.dmp

Filesize
1024KB

Download
memory/4328-3-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4328-222-0x0000000002DD0000-0x0000000002ED0000-memory.dmp

Filesize
1024KB

Download
memory/4328-224-0x0000000004940000-0x00000000049E0000-memory.dmp

Filesize
640KB

Download
memory/4328-226-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4328-225-0x0000000000400000-0x0000000002CCC000-memory.dmp

Filesize
40.8MB

Download
memory/4328-2-0x0000000004940000-0x00000000049E0000-memory.dmp

Filesize
640KB

Download